On 1/11/21 3:22 PM, Konstantin Belousov wrote: > The branch main has been updated by kib: > > URL: > https://cgit.FreeBSD.org/src/commit/?id=2e1c94aa1fd582fb8ae0522f0827be719ff5fb67 > > commit 2e1c94aa1fd582fb8ae0522f0827be719ff5fb67 > Author: Konstantin Belousov <[email protected]> > AuthorDate: 2021-01-08 22:40:04 +0000 > Commit: Konstantin Belousov <[email protected]> > CommitDate: 2021-01-11 23:15:43 +0000 > > Implement enforcing write XOR execute mapping policy. > > It is checked in vm_map_insert() and vm_map_protect() that PROT_WRITE | > PROT_EXEC are never specified together, if vm_map has MAP_WX flag set. > FreeBSD control flag allows specific binary to request WX exempt, and > there are per ABI boolean sysctls kern.elf{32,64}.allow_wx to enable/ > disable globally. > > Reviewed by: emaste, jhb > Sponsored by: The FreeBSD Foundation > Differential Revision: https://reviews.freebsd.org/D28050
Relnotes: yes (or maybe do an update to RELNOTES?) To be clear though, this doesn't set the default to enforcing W^X, it just adds a knob that can be set to enforce that on most binaries. My guess is that the plan is to get some testing/exposure of this on head (e.g. doing an exp-run with this set would probably be a good test?) and then flip the default to enable this restriction in the future? -- John Baldwin _______________________________________________ [email protected] mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all To unsubscribe, send any mail to "[email protected]"
